| draft-gont-opsec-ipv6-firewall-reqs-02.txt | draft-gont-opsec-ipv6-firewall-reqs-03.txt | |||
|---|---|---|---|---|
| opsec F. Gont | opsec F. Gont | |||
| Internet-Draft SI6 Networks / UTN-FRH | Internet-Draft SI6 Networks / UTN-FRH | |||
| Intended status: Informational M. Ermini | Intended status: Informational M. Ermini | |||
| Expires: September 10, 2015 ResMed | Expires: September 22, 2016 ResMed | |||
| W. Liu | W. Liu | |||
| Huawei Technologies | Huawei Technologies | |||
| March 9, 2015 | March 21, 2016 | |||
| Requirements for IPv6 Enterprise Firewalls | Requirements for IPv6 Enterprise Firewalls | |||
| draft-gont-opsec-ipv6-firewall-reqs-02 | draft-gont-opsec-ipv6-firewall-reqs-03 | |||
| Abstract | Abstract | |||
| While there has been some work in the area of firewalls, concrete | While there has been some work in the area of firewalls, concrete | |||
| requirements for IPv6 firewalls have never been specified in the RFC | requirements for IPv6 firewalls have never been specified in the RFC | |||
| series. The more limited experience with the IPv6 protocols and the | series. The more limited experience with the IPv6 protocols and the | |||
| more reduced number of firewalls that support IPv6 has made it rather | more reduced number of firewalls that support IPv6 has made it rather | |||
| difficult to infer what are reasonable features to expect in an IPv6 | difficult to infer what are reasonable features to expect in an IPv6 | |||
| firewall. This has typically been a problem for network operators, | firewall. This has typically been a problem for network operators, | |||
| who typically have to produce a "Request for Proposal" from scratch | who typically have to produce a "Request for Proposal" from scratch | |||
| skipping to change at page 1, line 42 | skipping to change at page 1, line 42 | |||
| Internet-Drafts are working documents of the Internet Engineering | Internet-Drafts are working documents of the Internet Engineering | |||
| Task Force (IETF). Note that other groups may also distribute | Task Force (IETF). Note that other groups may also distribute | |||
| working documents as Internet-Drafts. The list of current Internet- | working documents as Internet-Drafts. The list of current Internet- | |||
| Drafts is at http://datatracker.ietf.org/drafts/current/. | Drafts is at http://datatracker.ietf.org/drafts/current/. | |||
| Internet-Drafts are draft documents valid for a maximum of six months | Internet-Drafts are draft documents valid for a maximum of six months | |||
| and may be updated, replaced, or obsoleted by other documents at any | and may be updated, replaced, or obsoleted by other documents at any | |||
| time. It is inappropriate to use Internet-Drafts as reference | time. It is inappropriate to use Internet-Drafts as reference | |||
| material or to cite them other than as "work in progress." | material or to cite them other than as "work in progress." | |||
| This Internet-Draft will expire on September 10, 2015. | This Internet-Draft will expire on September 22, 2016. | |||
| Copyright Notice | Copyright Notice | |||
| Copyright (c) 2015 IETF Trust and the persons identified as the | Copyright (c) 2016 IETF Trust and the persons identified as the | |||
| document authors. All rights reserved. | document authors. All rights reserved. | |||
| This document is subject to BCP 78 and the IETF Trust's Legal | This document is subject to BCP 78 and the IETF Trust's Legal | |||
| Provisions Relating to IETF Documents | Provisions Relating to IETF Documents | |||
| (http://trustee.ietf.org/license-info) in effect on the date of | (http://trustee.ietf.org/license-info) in effect on the date of | |||
| publication of this document. Please review these documents | publication of this document. Please review these documents | |||
| carefully, as they describe your rights and restrictions with respect | carefully, as they describe your rights and restrictions with respect | |||
| to this document. Code Components extracted from this document must | to this document. Code Components extracted from this document must | |||
| include Simplified BSD License text as described in Section 4.e of | include Simplified BSD License text as described in Section 4.e of | |||
| the Trust Legal Provisions and are provided without warranty as | the Trust Legal Provisions and are provided without warranty as | |||
| skipping to change at page 2, line 37 | skipping to change at page 2, line 37 | |||
| 8. Application Layer Firewall . . . . . . . . . . . . . . . . . 11 | 8. Application Layer Firewall . . . . . . . . . . . . . . . . . 11 | |||
| 9. Logging, Auditing and Security Operation Centre (SOC) | 9. Logging, Auditing and Security Operation Centre (SOC) | |||
| requirements . . . . . . . . . . . . . . . . . . . . . . . . 11 | requirements . . . . . . . . . . . . . . . . . . . . . . . . 11 | |||
| 10. Console and Events Visualization requirements . . . . . . . . 13 | 10. Console and Events Visualization requirements . . . . . . . . 13 | |||
| 11. Reporting requirements . . . . . . . . . . . . . . . . . . . 14 | 11. Reporting requirements . . . . . . . . . . . . . . . . . . . 14 | |||
| 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | 12. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 13. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | 13. Security Considerations . . . . . . . . . . . . . . . . . . . 14 | |||
| 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | 14. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | 15. References . . . . . . . . . . . . . . . . . . . . . . . . . 14 | |||
| 15.1. Normative References . . . . . . . . . . . . . . . . . . 14 | 15.1. Normative References . . . . . . . . . . . . . . . . . . 14 | |||
| 15.2. Informative References . . . . . . . . . . . . . . . . . 15 | 15.2. Informative References . . . . . . . . . . . . . . . . . 16 | |||
| Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 17 | Authors' Addresses . . . . . . . . . . . . . . . . . . . . . . . 18 | |||
| 1. DISCLAIMER | 1. DISCLAIMER | |||
| This initial version of the document is based on a typical IPv6 | This initial version of the document is based on a typical IPv6 | |||
| firewall "Request for Proposal" (RFP), and is mostly meant to trigger | firewall "Request for Proposal" (RFP), and is mostly meant to trigger | |||
| discussion in the community, and define a direction for the document. | discussion in the community, and define a direction for the document. | |||
| Future versions of this document may contain all, more, or a subset | Future versions of this document may contain all, more, or a subset | |||
| of the requirements present in the current version of this document. | of the requirements present in the current version of this document. | |||
| Additionally, the current version DOES NOT yet properly separate | Additionally, the current version DOES NOT yet properly separate | |||
| requirements among MUST/REQUIRED, SHOULD/RECOMMENDED, and MAY/ | requirements among MUST/REQUIRED, SHOULD/RECOMMENDED, and MAY/ | |||
| skipping to change at page 14, line 43 | skipping to change at page 14, line 43 | |||
| Abrahamsson, Cameron Byrne, Brian Carpenter, Tim Chown, Jakub (Jake) | Abrahamsson, Cameron Byrne, Brian Carpenter, Tim Chown, Jakub (Jake) | |||
| Czyz, Marc Heuse, Simon Perreault, Carsten Schmoll, Robert Sleigh, | Czyz, Marc Heuse, Simon Perreault, Carsten Schmoll, Robert Sleigh, | |||
| Donald Smith, Qiong Sun, Gunter Van de Velde, and Scott Weeks, for | Donald Smith, Qiong Sun, Gunter Van de Velde, and Scott Weeks, for | |||
| providing valuable comments on earlier versions of this document. | providing valuable comments on earlier versions of this document. | |||
| 15. References | 15. References | |||
| 15.1. Normative References | 15.1. Normative References | |||
| [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | [RFC2119] Bradner, S., "Key words for use in RFCs to Indicate | |||
| Requirement Levels", BCP 14, RFC 2119, March 1997. | Requirement Levels", BCP 14, RFC 2119, | |||
| DOI 10.17487/RFC2119, March 1997, | ||||
| <http://www.rfc-editor.org/info/rfc2119>. | ||||
| [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | [RFC2460] Deering, S. and R. Hinden, "Internet Protocol, Version 6 | |||
| (IPv6) Specification", RFC 2460, December 1998. | (IPv6) Specification", RFC 2460, DOI 10.17487/RFC2460, | |||
| December 1998, <http://www.rfc-editor.org/info/rfc2460>. | ||||
| [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | [RFC4301] Kent, S. and K. Seo, "Security Architecture for the | |||
| Internet Protocol", RFC 4301, December 2005. | Internet Protocol", RFC 4301, DOI 10.17487/RFC4301, | |||
| December 2005, <http://www.rfc-editor.org/info/rfc4301>. | ||||
| [RFC4443] Conta, A., Deering, S., and M. Gupta, "Internet Control | [RFC4443] Conta, A., Deering, S., and M. Gupta, Ed., "Internet | |||
| Message Protocol (ICMPv6) for the Internet Protocol | Control Message Protocol (ICMPv6) for the Internet | |||
| Version 6 (IPv6) Specification", RFC 4443, March 2006. | Protocol Version 6 (IPv6) Specification", RFC 4443, | |||
| DOI 10.17487/RFC4443, March 2006, | ||||
| <http://www.rfc-editor.org/info/rfc4443>. | ||||
| [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | [RFC4861] Narten, T., Nordmark, E., Simpson, W., and H. Soliman, | |||
| "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | "Neighbor Discovery for IP version 6 (IPv6)", RFC 4861, | |||
| September 2007. | DOI 10.17487/RFC4861, September 2007, | |||
| <http://www.rfc-editor.org/info/rfc4861>. | ||||
| [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | [RFC0768] Postel, J., "User Datagram Protocol", STD 6, RFC 768, | |||
| August 1980. | DOI 10.17487/RFC0768, August 1980, | |||
| <http://www.rfc-editor.org/info/rfc768>. | ||||
| [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, RFC | [RFC0793] Postel, J., "Transmission Control Protocol", STD 7, | |||
| 793, September 1981. | RFC 793, DOI 10.17487/RFC0793, September 1981, | |||
| <http://www.rfc-editor.org/info/rfc793>. | ||||
| [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing | [RFC7045] Carpenter, B. and S. Jiang, "Transmission and Processing | |||
| of IPv6 Extension Headers", RFC 7045, December 2013. | of IPv6 Extension Headers", RFC 7045, | |||
| DOI 10.17487/RFC7045, December 2013, | ||||
| <http://www.rfc-editor.org/info/rfc7045>. | ||||
| [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of | [RFC7112] Gont, F., Manral, V., and R. Bonica, "Implications of | |||
| Oversized IPv6 Header Chains", RFC 7112, January 2014. | Oversized IPv6 Header Chains", RFC 7112, | |||
| DOI 10.17487/RFC7112, January 2014, | ||||
| <http://www.rfc-editor.org/info/rfc7112>. | ||||
| [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | [RFC6145] Li, X., Bao, C., and F. Baker, "IP/ICMP Translation | |||
| Algorithm", RFC 6145, April 2011. | Algorithm", RFC 6145, DOI 10.17487/RFC6145, April 2011, | |||
| <http://www.rfc-editor.org/info/rfc6145>. | ||||
| [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains | [RFC3056] Carpenter, B. and K. Moore, "Connection of IPv6 Domains | |||
| via IPv4 Clouds", RFC 3056, February 2001. | via IPv4 Clouds", RFC 3056, DOI 10.17487/RFC3056, February | |||
| 2001, <http://www.rfc-editor.org/info/rfc3056>. | ||||
| [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site | [RFC5214] Templin, F., Gleeson, T., and D. Thaler, "Intra-Site | |||
| Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, | Automatic Tunnel Addressing Protocol (ISATAP)", RFC 5214, | |||
| March 2008. | DOI 10.17487/RFC5214, March 2008, | |||
| <http://www.rfc-editor.org/info/rfc5214>. | ||||
| [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through | [RFC4380] Huitema, C., "Teredo: Tunneling IPv6 over UDP through | |||
| Network Address Translations (NATs)", RFC 4380, February | Network Address Translations (NATs)", RFC 4380, | |||
| 2006. | DOI 10.17487/RFC4380, February 2006, | |||
| <http://www.rfc-editor.org/info/rfc4380>. | ||||
| 15.2. Informative References | 15.2. Informative References | |||
| [RFC2647] Newman, D., "Benchmarking Terminology for Firewall | [RFC2647] Newman, D., "Benchmarking Terminology for Firewall | |||
| Performance", RFC 2647, August 1999. | Performance", RFC 2647, DOI 10.17487/RFC2647, August 1999, | |||
| <http://www.rfc-editor.org/info/rfc2647>. | ||||
| [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms | [RFC4213] Nordmark, E. and R. Gilligan, "Basic Transition Mechanisms | |||
| for IPv6 Hosts and Routers", RFC 4213, October 2005. | for IPv6 Hosts and Routers", RFC 4213, | |||
| DOI 10.17487/RFC4213, October 2005, | ||||
| <http://www.rfc-editor.org/info/rfc4213>. | ||||
| [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering | [RFC4890] Davies, E. and J. Mohacsi, "Recommendations for Filtering | |||
| ICMPv6 Messages in Firewalls", RFC 4890, May 2007. | ICMPv6 Messages in Firewalls", RFC 4890, | |||
| DOI 10.17487/RFC4890, May 2007, | ||||
| <http://www.rfc-editor.org/info/rfc4890>. | ||||
| [RFC5180] Popoviciu, C., Hamza, A., Van de Velde, G., and D. | [RFC5180] Popoviciu, C., Hamza, A., Van de Velde, G., and D. | |||
| Dugatkin, "IPv6 Benchmarking Methodology for Network | Dugatkin, "IPv6 Benchmarking Methodology for Network | |||
| Interconnect Devices", RFC 5180, May 2008. | Interconnect Devices", RFC 5180, DOI 10.17487/RFC5180, May | |||
| 2008, <http://www.rfc-editor.org/info/rfc5180>. | ||||
| [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole | [RFC5635] Kumari, W. and D. McPherson, "Remote Triggered Black Hole | |||
| Filtering with Unicast Reverse Path Forwarding (uRPF)", | Filtering with Unicast Reverse Path Forwarding (uRPF)", | |||
| RFC 5635, August 2009. | RFC 5635, DOI 10.17487/RFC5635, August 2009, | |||
| <http://www.rfc-editor.org/info/rfc5635>. | ||||
| [RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational | [RFC6583] Gashinsky, I., Jaeggli, J., and W. Kumari, "Operational | |||
| Neighbor Discovery Problems", RFC 6583, March 2012. | Neighbor Discovery Problems", RFC 6583, | |||
| DOI 10.17487/RFC6583, March 2012, | ||||
| <http://www.rfc-editor.org/info/rfc6583>. | ||||
| [RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on | [RFC7123] Gont, F. and W. Liu, "Security Implications of IPv6 on | |||
| IPv4 Networks", RFC 7123, February 2014. | IPv4 Networks", RFC 7123, DOI 10.17487/RFC7123, February | |||
| 2014, <http://www.rfc-editor.org/info/rfc7123>. | ||||
| [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations | [RFC7126] Gont, F., Atkinson, R., and C. Pignataro, "Recommendations | |||
| on Filtering of IPv4 Packets Containing IPv4 Options", BCP | on Filtering of IPv4 Packets Containing IPv4 Options", | |||
| 186, RFC 7126, February 2014. | BCP 186, RFC 7126, DOI 10.17487/RFC7126, February 2014, | |||
| <http://www.rfc-editor.org/info/rfc7126>. | ||||
| [RFC2979] Freed, N., "Behavior of and Requirements for Internet | [RFC2979] Freed, N., "Behavior of and Requirements for Internet | |||
| Firewalls", RFC 2979, October 2000. | Firewalls", RFC 2979, DOI 10.17487/RFC2979, October 2000, | |||
| <http://www.rfc-editor.org/info/rfc2979>. | ||||
| [RFC3511] Hickman, B., Newman, D., Tadjudin, S., and T. Martin, | [RFC3511] Hickman, B., Newman, D., Tadjudin, S., and T. Martin, | |||
| "Benchmarking Methodology for Firewall Performance", RFC | "Benchmarking Methodology for Firewall Performance", | |||
| 3511, April 2003. | RFC 3511, DOI 10.17487/RFC3511, April 2003, | |||
| <http://www.rfc-editor.org/info/rfc3511>. | ||||
| [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, July 2010. | [RFC5927] Gont, F., "ICMP Attacks against TCP", RFC 5927, | |||
| DOI 10.17487/RFC5927, July 2010, | ||||
| <http://www.rfc-editor.org/info/rfc5927>. | ||||
| [I-D.ietf-opsec-ipv6-nd-security] | [I-D.ietf-opsec-ipv6-nd-security] | |||
| Gont, F., Bonica, R., and W. Will, "Security Assessment of | Gont, F., Bonica, R., and W. Will, "Security Assessment of | |||
| Neighbor Discovery (ND) for IPv6", draft-ietf-opsec-ipv6- | Neighbor Discovery (ND) for IPv6", draft-ietf-opsec-ipv6- | |||
| nd-security-00 (work in progress), October 2013. | nd-security-00 (work in progress), October 2013. | |||
| [RFC6274] Gont, F., "Security Assessment of the Internet Protocol | [RFC6274] Gont, F., "Security Assessment of the Internet Protocol | |||
| Version 4", RFC 6274, July 2011. | Version 4", RFC 6274, DOI 10.17487/RFC6274, July 2011, | |||
| <http://www.rfc-editor.org/info/rfc6274>. | ||||
| [CPNI-TCP] | [CPNI-TCP] | |||
| CPNI, , "Security Assessment of the Transmission Control | CPNI, , "Security Assessment of the Transmission Control | |||
| Protocol (TCP)", http://www.gont.com.ar/papers/ | Protocol (TCP)", http://www.gont.com.ar/papers/ | |||
| tn-03-09-security-assessment-TCP.pdf, 2009. | tn-03-09-security-assessment-TCP.pdf, 2009. | |||
| [SSL-VPNs] | [SSL-VPNs] | |||
| Hoffman, P., "SSL VPNs: An IETF Perspective", IETF 72, | Hoffman, P., "SSL VPNs: An IETF Perspective", IETF 72, | |||
| SAAG Meeting., 2008, | SAAG Meeting., 2008, | |||
| <http://www.ietf.org/proceedings/72/slides/saag-4.pdf>. | <http://www.ietf.org/proceedings/72/slides/saag-4.pdf>. | |||
| [FW-Benchmark] | [FW-Benchmark] | |||
| Zack, E., "Firewall Security Assessment and Benchmarking | Zack, E., "Firewall Security Assessment and Benchmarking | |||
| IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, | IPv6 Firewall Load Tests", IPv6 Hackers Meeting #1, | |||
| Berlin, Germany. June 30, 2013, | Berlin, Germany. June 30, 2013, | |||
| <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- | <http://www.ipv6hackers.org/meetings/ipv6-hackers-1/zack- | |||
| ipv6hackers1-firewall-security-assessment-and- | ipv6hackers1-firewall-security-assessment-and- | |||
| benchmarking.pdf>. | benchmarking.pdf>. | |||
| [Junos-Teardrop] | [Junos-Teardrop] | |||
| Juniper, j., "Understanding Teardrop Attacks", Junos OS | Juniper, j., "Understanding Teardrop Attacks", Junos OS | |||
| Security Configuration Guide, 2010, | Security Configuration Guide, 2010, | |||
| <http://www.juniper.net/techpubs/software/junos-es/junos- | <http://www.juniper.net/techpubs/software/junos-es/junos- | |||
| es93/junos-es-swconfig-security/ | es93/junos-es-swconfig-security/ | |||
| understanding-teardrop-attacks.html>. | understanding-teardrop-attacks.html>. | |||
| [draft-gont-opsec-ipv6-eh-filtering] | [draft-gont-opsec-ipv6-eh-filtering] | |||
| Gont, F., Ermini, M., and W. Liu, "Recommendations on | Gont, F., Ermini, M., and W. Liu, "Recommendations on | |||
| Filtering of IPv6 Packets Containing IPv6 Extension | Filtering of IPv6 Packets Containing IPv6 Extension | |||
| Headers", draft-gont-opsec-ipv6-filtering-00, Work in | Headers", draft-gont-opsec-ipv6-filtering-00, Work | |||
| Progress, April 2014. | in Progress, April 2014. | |||
| [Kenney1996] | [Kenney1996] | |||
| Kenney, M., "The Ping of Death Page", 1996, | Kenney, M., "The Ping of Death Page", 1996, | |||
| <http://www.insecure.org/sploits/ping-o-death.html>. | <http://www.insecure.org/sploits/ping-o-death.html>. | |||
| [Meltman1997] | [Meltman1997] | |||
| Meltman, M., "new TCP/IP bug in win95", 1997, | Meltman, M., "new TCP/IP bug in win95", 1997, | |||
| <http://insecure.org/sploits/land.ip.DOS.html>. | <http://insecure.org/sploits/land.ip.DOS.html>. | |||
| [Myst1997] | [Myst1997] | |||
| End of changes. 36 change blocks. | ||||
| 44 lines changed or deleted | 77 lines changed or added | |||

This HTML diff was produced by rfcdiff 1.48. The latest version is available from http://tools.ietf.org/tools/rfcdiff/